The more I thought about this last night the more it bothered me so I decided to take a quick look to see if I could come up with something that would let me sleep easier. The patch below is likely whitespace mangled and probably won't apply cleanly but since I haven't done any testing I consider that a good thing.

+/**+ * smack_inet_conn_established - Setup a new inbound connection+ * @sk: the new child socket+ * @skb: the inbound packet+ *+ * Perform the setup of a new inbound stream connection; this basically means+ * check to see if the other end of the connection is configured as a single+ * or multi-label host and enure the new connection's socket is configured+ * correctly.+ */+static void smack_inet_conn_established(struct sock *sk, struct sk_buff *skb)+{+ struct iphdr *hdr;+ struct sockaddr_in addr;++ /* we only need to bother with IPv4 since we don't do IPv6 labeling */+ if (skb->protocol != htons(ETH_P_IP))+ return;++ hdr = ip_hdr(skb);+ addr.sin_addr.s_addr = hdr->saddr;+ if (smack_host_label(&addr) == NULL)+ return;++ /* the other end of this connection is configured as a single label,+ * unlabeled host so we need to make sure we aren't going to label+ * the socket */+ /* NOTE: this is _very_ important - we can only _remove_ the label at+ * this point, trying to add a label to the socket here could result+ * in a failure which we can't safely catch here due to the inability+ * to signal an error */+ smack_netlabel(sk, SMACK_UNLABELED_SOCKET);+}+ /* * Key management security hooks *@@ -2940,6 +2996,7 @@ struct security_operations smack_ops = { .sk_free_security = smack_sk_free_security, .sock_graft = smack_sock_graft, .inet_conn_request = smack_inet_conn_request,+ .inet_conn_established = smack_inet_conn_established,